This looks suspicious:
Aug 12 08:45:00 sudo[31732] val[0]=+office
Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56
Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false
Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015
Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953
Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819
Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false
It doesn't seem to find this host as part of the hostgroup. I suspect the problem is this entry in nsswitch:
netgroup: nis sss
Could you try just 'sss' or 'files sss'?
A successful hostgroup match should look something like this instead:
Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190
Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62
Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false
Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558
Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740
Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856
Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction
Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
Aug 12 14:20:32 sudo[25075] IPA hostname (rhel7-ipa-client.example.com) matches +nonproduction => true
Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true
Kind regards,
Justin Stephenson
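The host-match decision in the two traces above can be triaged mechanically. The following is an added example written for this page, not code from sudo, SSSD, or anyone in the thread. It parses the "<- function @ file := result" lines of sudo 1.8 debug output (line shapes assumed from the traces above; the sample lines are constructed from them with the build paths shortened) and reads the netgroup line of an nsswitch.conf body, then reports why a '+netgroup' sudoHost did not match: it flags a (null) NIS domain name and any source other than files listed before sss, which is the ordering the reply above suggests changing.

```python
"""Triage helper for sudo debug output when SSSD-backed sudo rules use a
netgroup (IPA host group) as sudoHost, e.g. '+office'.  Added example for
this thread, not part of sudo or SSSD; the regexes assume the sudo 1.8
debug line shapes quoted in the thread."""
import re
from typing import Dict, List

# Line shapes taken from the sudo 1.8 debug output in the thread.  Build paths
# and source line numbers differ between packages, so they are not anchored.
_FIELDS = {
    "pattern": re.compile(r"sudo\[(?P<pid>\d+)\] val\[\d+\]=(?P<v>\S+)"),
    "nis_domain": re.compile(
        r"sudo\[(?P<pid>\d+)\] <- sudo_getdomainname @ .* := (?P<v>\S+)"),
    "netgroup_match": re.compile(
        r"sudo\[(?P<pid>\d+)\] <- netgr_matches @ .* := (?P<v>true|false)"),
    "host_match": re.compile(
        r"sudo\[(?P<pid>\d+)\] <- sudo_sss_check_host @ .* := (?P<v>true|false)"),
}


def parse_sudo_debug(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Collect, per sudo PID, the sudoHost value and the host-check results."""
    records: Dict[str, Dict[str, str]] = {}
    for line in lines:
        for field, rx in _FIELDS.items():
            m = rx.search(line)
            if m:
                records.setdefault(m.group("pid"), {})[field] = m.group("v")
    return records


def netgroup_sources(nsswitch_text: str) -> List[str]:
    """Return the lookup sources listed on the 'netgroup:' line of nsswitch.conf."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("netgroup:"):
            return line.split(":", 1)[1].split()
    return []


def diagnose(lines: List[str], nsswitch_text: str) -> Dict[str, str]:
    """Map each sudo PID to a one-line verdict on its sudoHost check."""
    sources = netgroup_sources(nsswitch_text)
    verdicts: Dict[str, str] = {}
    for pid, rec in parse_sudo_debug(lines).items():
        pattern = rec.get("pattern", "?")
        if rec.get("host_match") == "true":
            verdicts[pid] = f"MATCH: sudoHost {pattern} applies to this host"
            continue
        if not pattern.startswith("+"):
            verdicts[pid] = f"NO MATCH: sudoHost {pattern} is not a netgroup"
            continue
        hints = []
        if rec.get("nis_domain") == "(null)":
            hints.append("no NIS domain name is set")
        if "sss" not in sources:
            hints.append("sss is not a netgroup source in nsswitch.conf")
        else:
            # Any non-'files' source ahead of sss (e.g. nis) answers first.
            before = [s for s in sources[: sources.index("sss")] if s != "files"]
            if before:
                hints.append(f"netgroup lookups try {','.join(before)} before sss")
        verdicts[pid] = (f"NO MATCH: netgroup {pattern[1:]} did not contain this host"
                         + (f" ({'; '.join(hints)})" if hints else ""))
    return verdicts


# Constructed sample lines, condensed from the two debug traces in the thread
# (paths shortened; the real output is longer and wraps).
SAMPLE_LOG = [
    "Aug 12 08:45:00 sudo[31732] val[0]=+office",
    "Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ match.c:992 := (null)",
    "Aug 12 08:45:00 sudo[31732] <- netgr_matches @ match.c:1044 := false",
    "Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ sssd.c:687 := false",
    "Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction",
    "Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true",
    "Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true",
]
# Constructed nsswitch.conf bodies: the suspect ordering and the suggested fix.
BROKEN_NSSWITCH = "passwd: files sss\nnetgroup: nis sss\n"
FIXED_NSSWITCH = "passwd: files sss\nnetgroup: files sss\n"

if __name__ == "__main__":
    for cfg in (BROKEN_NSSWITCH, FIXED_NSSWITCH):
        print("netgroup sources:", netgroup_sources(cfg))
        for pid, verdict in sorted(diagnose(SAMPLE_LOG, cfg).items()):
            print(" ", pid, verdict)
```

Run it against a real trace by feeding the lines of sudo's debug log file instead of SAMPLE_LOG and the contents of /etc/nsswitch.conf instead of the constructed strings; the verdict for a failing '+netgroup' host check then names the two things worth fixing first.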
On 08/12/2016 10:00 AM, Jeff Goddard wrote:
The rule is defined that all members of the developer group have sudo
access to all commands available on the machines in the office group.
Jeff
On Fri, Aug 12, 2016 at 9:58 AM, Jakub Hrozek <[email protected]> wrote:
On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote:
> Jakub,
>
> Here is the log file output:
How is the sudorule defined?
> Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard NOT in group admin
> Aug 12 08:45:00 sudo[31732] <- user_in_group @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/pwutil.c:855 := false
> Aug 12 08:45:00 sudo[31732] user jgoddard matches group admin: false @ usergr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:940
> Aug 12 08:45:00 sudo[31732] <- usergr_matches @
Here it looks like sudo tried to match the user's groups against the groups allowed to run sudo, and admin didn't match.
--
Jeff Goddard
Director of Information Technology
Emerlyn Technology
Email: [email protected]
Telephone: (603) 447-8571
Toll free: (888) 363-7596 ext. 108
Fax: (603) 356-3346
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project